Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NEL registration should be based on origin & restricted to HTTPS #42

Closed
igrigorik opened this issue Mar 19, 2015 · 4 comments
Closed

NEL registration should be based on origin & restricted to HTTPS #42

igrigorik opened this issue Mar 19, 2015 · 4 comments

Comments

@igrigorik
Copy link
Member

Feedback from Chrome security/privacy review:

  1. Current policy storage mechanism is insufficient because it's not based on origin concept.
  2. NEL qualifies as a powerful feature: persists state for an origin, provides access to sensitive data about users browsing behavior.

To address (1) we need to move to an origin-based registration, which would imply that http and https registrations would be treated separately. That said, to address (2), we also need to scope NEL to https-only -- i.e. registration must happen over https and NEL is only exposed to sites using https, ala Service Worker and other powerful features.

/cc @mikewest @slightlyoff @mnot @mcmanus @annevk
@mcmanus
Copy link

mcmanus commented Mar 20, 2015

I support this as an https only feature. I'm not a big fan of trying to assess the powerfulness of features, but I do believe that all web level additions that don't have compatibility concerns should be restricted to https. And in this case both of those philosophies happily lead us to the same place - https only.

(I'm cool with origins too.)

@annevk
Copy link
Member

annevk commented Mar 20, 2015

It's not entirely clear to me what kind of errors would be logged and which would be ignored.

@yoavweiss
Copy link
Contributor

Can we detail the risks of serving NEL over HTTP? What's the attack vector we're trying to protect users from?

@igrigorik igrigorik mentioned this issue Mar 23, 2015
Closed
@igrigorik
Copy link
Member Author

In terms of risks and attack vectors (courtesy of Ryan Sleevi):

Privacy: NEL gives site operators a number of bits of information about the users' network, both transient state and long-term connection information that they didn't have access to before - e.g. attacker could abuse NEL error reporting to probe users state and network configuration.

Persistence: similar to the Service Worker setup (without HTTPS), this allows a transient HTTP MITM to pivot NEL into a persistent tracker for the user. Unlike SW, there isn't a requirement on policy refresh or the like, which thus allows even more permanence in access. Further, same attacker could customize a reporting URI (per-user), along with generalized fault injection at a later time, to enable high-resolution targeting/identification of users.

In short, we hit at least three categories for privileged contexts: access to sensitive data, persistent identifiers, state for an origin. Hence HTTPS.

@igrigorik igrigorik mentioned this issue Mar 24, 2015
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@igrigorik @mcmanus @yoavweiss @annevk